Security Bulletins
Fixes available for vulnerability in CNI IPv6 route advertisement
Description | Severity | Notes |
---|---|---|
Fixes available for vulnerability in CNI IPv6 route advertisement. Reference: TTA-2020-001 | MEDIUM | N/A |
Summary
Clusters using IPv4 may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with default privileges can reconfigure the node’s IPv6 interface and redirect traffic from the node to the compromised pod. This includes traffic to domains that offer an IPv6 address and would otherwise have been reached over IPv4. Upgrade to the latest Calico or Calico Enterprise release to close this vulnerability. The vulnerability has been given an initial severity of medium.
CVE-2020-13597 has been reserved and will be updated with the relevant information.
Severity
MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/
Affects clusters using Calico or Calico Enterprise as the CNI plugin. Cloud provider managed clusters may not be affected; please consult your cloud provider’s advisory.
An attacker-controlled pod with the CAP_NET_RAW capability can send “rogue” IPv6 route advertisements to the node’s interface and reconfigure it to redirect part or all of the node’s IPv6 traffic to the compromised pod. Intercepting traffic to the node may allow the attacker to see sensitive data being sent.
More information can be found at: https://github.com/kubernetes/kubernetes/issues/91507
Affected Releases
Calico
- 3.14.0
- 3.13.3 or earlier
- 3.12.1 or earlier
- 3.11.2 or earlier
- 3.10.3 or earlier
- 3.9.5 or earlier
- 3.8.8 or earlier
- and all previous versions
Calico Enterprise (3.0 not affected)
- 2.8.2 or earlier
- 2.7.4 or earlier
- 2.6.2 or earlier
- and all previous versions
Indicators of Impact/Compromise
Presence of unexpected IPv6 routing.
Workaround / Remediation
To exploit this vulnerability, a malicious pod must have the CAP_NET_RAW capability, and the host node interfaces must have IPv6 route advertisements enabled. You can prevent this by:
- Setting all running pods to be non-root and to drop the CAP_NET_RAW capability using PodSecurityPolicy.
- SSH into the host node to manually disable IPv6 route advertisement by setting /proc/sys/net/ipv6/conf/{all,
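To find pods that do not yet meet the first workaround, the following added example (not part of the original bulletin or of Calico's code) audits pod specs in the shape returned by `kubectl get pods -A -o json`. The sample pod list and the function names are constructed for illustration; the check assumes the container runtime grants NET_RAW unless it is dropped, and treats an unset user as possibly root.

```python
import json

# Constructed sample, shaped like `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "web", "name": "hardened"},
  "spec": {"securityContext": {"runAsNonRoot": true}, "containers": [
    {"name": "app", "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}},
 {"metadata": {"namespace": "web", "name": "default-caps"},
  "spec": {"containers": [{"name": "app"}]}},
 {"metadata": {"namespace": "ops", "name": "root-init"},
  "spec": {"securityContext": {"runAsUser": 1000},
    "initContainers": [{"name": "setup", "securityContext":
      {"runAsUser": 0, "capabilities": {"drop": ["NET_RAW"]}}}],
    "containers": [{"name": "main", "securityContext":
      {"capabilities": {"drop": ["CAP_NET_RAW"]}}}]}}]}""")

def _caps(names):  # accept both "NET_RAW" and "CAP_NET_RAW"
    return {n.upper().removeprefix("CAP_") for n in names or []}

def audit_container(pod_sc, c):
    """Return the reasons a container falls short of the bulletin's workaround."""
    sc = c.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    add, drop = _caps(caps.get("add")), _caps(caps.get("drop"))
    reasons = []
    if sc.get("privileged"):
        reasons.append("privileged")
    if "NET_RAW" in add or not ({"NET_RAW", "ALL"} & drop):
        reasons.append("NET_RAW not dropped")
    # Container-level settings override pod-level ones; unset user = image default.
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    if uid == 0 or (uid is None and not non_root):
        reasons.append("may run as root")
    return reasons

def audit_pods(pod_list):
    """Map 'namespace/pod/container' to reasons for each non-compliant container."""
    findings = {}
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            reasons = audit_container(spec.get("securityContext") or {}, c)
            if reasons:
                findings[f'{meta["namespace"]}/{meta["name"]}/{c["name"]}'] = reasons
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_pods(SAMPLE), indent=2))
```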
Fixed Software
Calico
- 3.14.1
- 3.13.4
- 3.12.2
- 3.11.3
- 3.10.4
- 3.9.6
- 3.8.9
Calico Enterprise
- 3.0.0
- 2.8.3
- 2.7.5
- 2.6.3